Cybersecurity in the education space is different from the mid-sized nonprofit IT networks that Community IT typically supports. As we’ve supported education nonprofits we’ve learned a few cybersecurity best practices for charter schools that can help you keep your technology both accessible and safe.
In a nonprofit organization, we know that strong cybersecurity policies include multi-factor authentication, strong passwords, and a commitment to ongoing cybersecurity training for nonprofit staff members. We expect adult users in an office environment to participate collectively in strong cybersecurity to protect the organization overall, an organization in which they have a financial and emotional stake. And lapses in cybersecurity generally are either honest mistakes or the work of a disgruntled employee. Cyber attacks are also expected, but the types of attacks we see are usually generic, where the organization is not a specific target and the hack is one of opportunity.
In a school, many of those basics are turned on their head.
- Students need easy access; make the access too difficult and participation will drop in ways fundamentally different from an employee.
- There is an incentive to simplify account access due to volume. A school may support hundreds or thousands of students; make the cybersecurity too individualized and the IT support (and expenses) will mount. But this can mean security suffers as a “standard” login or initial password is easily exploited.
- An office-based organization rarely has the same level of complexity of account access as a school; students, parents, teachers, and administrators all need various connections and levels of secure access. Privacy concerns can conflict with convenience.
- Any institution with children’s accounts is a specific security target in ways that adult organizations are not; in addition to “generic” opportunistic financial hacking, cybersecurity has to guard against non-financial threats from without and within the online environment, such as sexual predators and bullies.
- Education institutions may be quite sophisticated or very unsophisticated in their technology approaches and comfort level; online education presents additional challenges to novice users, for students, parents, and staff.
- Schools and their students often face funding challenges and financial pressures that are different from office environments; education technology policies have to budget for loss and theft of devices in different ways than other organizations, and long term budget planning can conflict with politics or suffer from frequent changes in decision makers.
Cybersecurity Best Practices for Charter Schools
Clearly, cybersecurity protections are crucial for education technology. Here is the collection of cybersecurity best practices that we’ve developed over years of supporting a range of charter schools.
Equipment and Set Up and Pricing
You can have both Office 365 and G Suite in your environment
Accounts should be originated in Azure AD and then provisioned into G Suite and set up for single-sign-on.
Starting in Azure AD and going to G Suite is currently “free”. You can go from G Suite to Azure AD, but it requires a per user fee.
Microsoft Education has really great discounts, offers a 15-1 licensing benefit from faculty to student accounts and is really affordable.
If your environment uses Microsoft Windows be sure to enroll the computers in AutoPilot (requires Intune license) when they are purchased and then use Intune or another device management tool to deploy your standard configurations and applications.
If your environment uses Chromebooks be sure to get the Enterprise Chrome OS so that you have better management capabilities.
Have a process in place for reviewing and vetting new apps. It’s likely that needs will change during the semester, so have a process in place for teachers to request and manage applications and websites that are specific to their class. This can avoid scenarios when insecure or poorly designed solutions are used for classroom instruction, opening the classroom up to outside access or exploitation.
Student Account Access
Using a Single Sign On (SSO) Dashboard like Clever is a great way to unify logins to the wide range of educational apps that are required. It helps to reduce the number of username and password combinations that your learners need to remember
Good passwords are important! Having young learners means their accounts must be secure and individualized passwords are essential to prevent intrusions. Passwords should be at least 12 characters long and be memorable. We like to use the generator at XKPasswd – Secure Memorable Passwords to generate them.
Student passwords can be known by teachers, but they need to be stored securely. That means no spreadsheets with the passwords and definitely no use of the same password for all students! Many Student Information Systems can securely store a student’s password.
For students we usually turn off the ability for them to reset their own password. Often having a student reset their password can create more problems than the potential security benefit that it provides. If students or administrators need a student to reset their password, it requires help desk assistance and that improves overall tech help communication, too. Have a clear process in place and communicate it clearly so resetting a password doesn’t add frustration into the mix.
Staff and Teachers should protect their accounts with Multi-Factor Authentication (MFA). They have access to so many systems with sensitive data that providing this extra layer of protection is critical.
Turn off services that aren’t needed. If students aren’t required to use email in their education context, then that service should be deactivated for them. Only enable and provide access to the systems that are required for education.
Online Meeting Security
Follow good online meeting practices. Many schools are using Zoom to run their online classrooms. It’s important to restrict access to those virtual classrooms to only authorized accounts associated with the school. Implementing this restriction will reduce the risk of Zoombombing attacks.
For general meetings that are open to the public ensure that you have implemented a waiting room feature. You should also turn off video sharing and screensharing, and mute attendee audio by default. We have more tips at Nonprofit Cybersecurity Tips for Zoom. You could also use Facebook LIVE or Youtube Live for broadcasting content to a large audience.
Bottom Line on Cybersecurity Best Practices for Charter Schools: the security issues are different, but the need for security is, if anything, more important.
At Community IT, we continue to learn and share our education tech best practices with our community. The opportunities for positive technology experiences and mission delivery in the nonprofit education sector are always accompanied by very real security concerns. As remote learning has evolved so rapidly recently it is not surprising that institutions are having trouble keeping up. Having a trusted technology partner to help navigate vendors and help desk support is essential to a successful implementation of any new education technology platform.
Having an assessment and strategic plan/budget in place is crucial to implementing change at speed. Being able to call on existing relationships is also vital. Community IT is relatively rare among MSPs in serving nonprofits exclusively; we understand how nonprofits work and have learned how charter schools operate through our experiences with several clients over the years.
Community IT also is unique in utilizing an IT Business Manager as a central point of contact for our clients and tech teams. Our Business Managers bring deep understanding of nonprofit culture to change management and project implementation. In our recent Remote Learning Implementation Case Study we walk through the role of the IT Business Manager, who utilized his own experience as a parent of a student learning remotely, allowing him to identify the challenges the learners at this charter school client would face, and successfully manage the roll out of a four-year strategic plan in less than three months.
Ready to reduce your nonprofit cybersecurity risk?
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common. Whether at a third party vendor or a phishing or ransomware attack on your own organization, you need to be prepared for cybersecurity risks and understand cybersecurity best practices for charter schools.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. We published our Nonprofit Cybersecurity: a Guide for 2020 to help our community understand the issues. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
We regularly present webinars at Community IT about cybersecurity issues, to help our community learn practical safety measures we can all take.
If you’re ready to gain peace of mind about your cybersecurity, let’s talk.